Most people don’t spend much time thinking about what complex organizations hospitals are. Whether anticipating the joyful arrival of a newborn baby or worrying about an unexpected illness or injury, hospital visitors aren’t usually thinking about cybersecurity. Even most hospital employees only see a piece of the big picture, with little reason to consider operational risk.
But lots of people are indeed losing sleep over cyber threats to patient safety: IT administrators and clinical engineers diligently working to identify risks and implement controls. The rapid digital transformation of the healthcare sector, including the widespread implementation of electronic health records (EHR) and the introduction of connected medical devices (the medical Internet of Things (IoT)), has introduced new challenges that many health systems did not have to address in the pre-digital era. Early threats took the form of data breaches of protected patient health information. The stakes are increasing as recent cyber-attacks disrupt service, putting the safety and quality of patient care in jeopardy.
From small hospitals to large healthcare systems, all struggle to keep up with the deluge of threat vectors and related regulations. The proliferation of connected medical devices significantly compounds risks and vulnerabilities. These devices operate on a wide variety of protocols and software platforms; their specialized hardware and operating systems are often difficult to patch and can’t be secured with standard endpoint security solutions. Medical devices also stay in service much longer than PCs and servers, making it impossible to predict all the ways they could become vulnerable to cyber attacks. In other words, the attack surface in hospital settings is larger and more complicated to defend than in any other industry.
Evolving hacker behaviors to disrupt healthcare services
Hospital leaders aren’t the only ones who recognize the high stakes and growing risks. For several years, hackers have been targeting healthcare organizations, stealing valuable patient data to sell on the black market, commit insurance fraud, and support similar schemes. The theft of health care records continues to be a major concern for healthcare providers, but in the last couple of years, attacks of a different nature have become more alarming — those in which hospital systems are held hostage through botnet and ransomware attacks.
Consider the global WannaCry attack from the summer of 2017. Although the attack was ransomware motivated by immediate financial gain, healthcare organizations were severely impacted by the cancellation and postponement of procedures as a precaution. Imagine the ramifications if the attacks were designed specifically to disrupt patient care by targeting connected medical devices.
A different kind of risk to patients
The ramifications of one’s EHR being stolen are relatively well understood: use of the data to commit fraud of all kinds. The result of an attack on connected medical devices is less well understood but can be far more severe. In a digitally transformed hospital, physical harm to patients through devices such as infusion pumps is a real possibility. It’s no surprise that this is the threat keeping healthcare executives, IT administrators, and clinical engineers up at night. This potential nightmare scenario has come into focus partly due to ransomware attacks, but also because we (and hackers) understand more about the vulnerabilities introduced through IoT devices.
IoT devices such as connected medical devices have become increasingly common in recent years. These devices include units such as infusion and insulin pumps, ultrasound machines, and X-ray, ECG, and MRI machines. Supporting devices such as PACS servers and DICOM viewers are also included. And then there are the non-medical IoT devices to consider: printers, intercoms, security cameras, thermostats, tracking systems, and more. All these devices are vulnerable to physical and remote hacking. A wide range of combinations of devices and attack vectors could be used to physically endanger or harm a patient (or threaten harm to extort money or coerce action). Obviously, operating day-to-day under the weight of such risks is untenable.
A new approach for a new wave of threats
Hospitals are turning to IoT-specific solutions to contain the threat of physical harm to patients and disruption to operations. Off-the-shelf cybersecurity solutions like firewalls, anti-virus, and endpoint protection software are not sufficient. Most IoT devices have too little computing capacity to support endpoint agents and cannot be easily patched. Proactive/vulnerability scanning solutions can often overwhelm medical devices, causing interruptions in operations.
Unfortunately, identifying the right security solution is only part of the answer. In order to quantify the scope of security risks, hospitals must have real-time visibility into their connected medical devices. Creating and maintaining a comprehensive, real-time inventory of IoT devices is essential to securing them. Room-to-room device audits and the use of spreadsheets for inventory management simply can’t cope with the dynamic nature and large scale of IoT devices.
To add to the challenge, hospitals simply can’t hire enough cyber security experts to provide comprehensive protection the old-fashioned way. Manual intervention, when faced with a barrage of modern sophisticated attacks across an ever-growing number of connected devices, cannot scale sufficiently to protect the organization’s network and devices.
For all these reasons, hospital leaders are turning to artificial intelligence (AI) and machine learning solutions to strengthen the security of their connected medical devices. AI-based solutions can discover IoT devices on the network, assess their unique characteristics, learn their typical behaviors, and then monitor for abnormal behaviors and generate alerts. AI solutions can perform risk assessment in real time that covers the unique parameters and features of many different kinds of devices, a task that would be impossible to perform manually. These solutions assess hardware, operating systems, communications, and other factors to give each device a risk score and alert admins if the device is at high risk.
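The baseline-then-monitor loop described above can be sketched with passive flow records only, so no device is actively scanned. This is an added example, not code from the authors or any vendor: the record layout, score weights, alert threshold and sample flows are all assumptions, and fixed rules stand in for a learned model.

```python
from collections import defaultdict

# Constructed flow records: (device_id, dst_ip, dst_port, bytes_sent)
BASELINE_FLOWS = [
    ("pump-01", "10.0.5.10", 443, 1200),
    ("pump-01", "10.0.5.10", 443, 1500),
    ("mri-02", "10.0.7.20", 104, 5_000_000),   # 104 = DICOM
    ("mri-02", "10.0.7.20", 104, 8_000_000),
]
OBSERVED_FLOWS = [
    ("pump-01", "10.0.5.10", 443, 1300),        # matches baseline
    ("pump-01", "10.0.9.77", 445, 900),         # new peer over SMB
    ("mri-02", "10.0.7.20", 104, 40_000_000),   # unusually large transfer
    ("cam-09", "10.0.5.10", 443, 500),          # device never inventoried
]
RISKY_PORTS = {23: "telnet", 445: "smb"}        # assumed watch list

def learn_baseline(flows):
    """Build the inventory: per device, known peers and largest flow seen."""
    profile = defaultdict(lambda: {"peers": set(), "max_bytes": 0})
    for dev, dst, port, nbytes in flows:
        profile[dev]["peers"].add((dst, port))
        profile[dev]["max_bytes"] = max(profile[dev]["max_bytes"], nbytes)
    return profile

def score_flow(profile, flow):
    """Return (risk score 0-100, reasons) for one observed flow."""
    dev, dst, port, nbytes = flow
    if dev not in profile:
        return 100, ["device not in inventory"]
    score, reasons = 0, []
    if (dst, port) not in profile[dev]["peers"]:
        score += 50
        reasons.append(f"new peer {dst}:{port}")
    if nbytes > 3 * profile[dev]["max_bytes"]:  # assumed volume threshold
        score += 30
        reasons.append("volume far above baseline")
    if port in RISKY_PORTS:
        score += 20
        reasons.append(f"{RISKY_PORTS[port]} traffic")
    return min(score, 100), reasons

def monitor(profile, flows, threshold=50):
    """Return (device, score, reasons) for flows at or above the threshold."""
    alerts = []
    for flow in flows:
        score, reasons = score_flow(profile, flow)
        if score >= threshold:
            alerts.append((flow[0], score, reasons))
    return alerts

if __name__ == "__main__":
    for alert in monitor(learn_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

The never-inventoried camera scores highest, which ties the alerting back to the real-time inventory requirement: a device with no baseline cannot be judged normal.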
The right security solution combined with the right visibility tools can go a long way to protect hospitals from the latest modern threats. However, the challenges faced by hospitals extend far beyond just the technology. The device manufacturers and policy makers need to work together with the hospitals and security vendors to form a coordinated approach to ensure patient safety. The same coordination is required inside the hospitals as well. IT staff and clinical engineers operating along different processes and priorities must coordinate their efforts toward the common goal.
It’s imperative that hospital leaders keep pushing the IoT security agenda to the forefront and demand that security be part of every connected device discussion, from purchase to deployment and ongoing management. Although changes are being implemented across the industry, there is no doubt that hospitals remain the last line of defense to ensure uninterrupted care. Simply reacting to the latest threat will certainly be too little, too late. Advancements in connected medical device technology have amazing potential to save and improve lives. We can’t let it become a weapon in the hands of cyber criminals.
Co-written by Dr. May Wang, co-founder and CTO of ZingBox, a leader in IoT security, more specifically for medical devices, and Dr. Maia Hightower, CMIO of Iowa University Health Care.